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@ Multilevel security apparatus and method with personal key. 



® A method and apparatus concerning electronic 
financial transaction processing systems used by 
customers of certain credit or electronic banking 
card-issuing Institutions are disclosed. The present 
invention involves two levels of secure interaction 
between the customer and the card-issuing institu- 
tion. The first level of interaction involves the enroll- 
ment of a customer in the institution's electronic 
financial transaction processing system. The cus- 
tomer either selects or is issued a personal iden- 
tification number and a card encoded with a per- 
sonal key. The personal key and personal identifica- 
tion number are used to generate a PIN transmission 
number and personal verification number, which is 
stored in bank records. The second level of inter- 
CM action involves the authorization of a customer's use 
^of the electronic financial transaction processing sys- 
Qtem for executing an electronic transaction. The cus- 
Otomer enters his personal identification number and 
"^the system reads his encoded card, both of which 
tf)are used to generate a candidate PIN transmission 
00 number. The candidate PIN transmission number is 
W transmitted to a remote processing center by com- 
Oputer network. The system, at the remote processing 
-^center, generates a candidate personal verification 
Qj number using the transmitted candidate PIN trans- 
mission number and compares the candidate PIN 



transmission number for parity with a PIN transmis- 
sion number stored in the institution's records. 
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MULTILEVEL SECURITY APPARATUS AND METHOD WITH PERSONAL 



BACKGROUND OF THE INVENTION 



This invention relates to the field of electronic 
financial transaction processing and. more specifi- 
cally, to a method and means for securing elec- 
tronic financial transaction processing systems uti- 
lizing conventional computer networks for transmis- 
sion of data from a remote terminal to a host 
computer system. 

The advent of electronic financial transaction 
processing has precipitated an unprecedented rev- 
olution in the manner in which commercial transac- 
tions are conducted. Transactions which previously 
required the physical transfer of currency or com- 
mercial paper, such as bank checks, are now ex- 
ecuted electronically using computers. 

Over the past several years, electronic financial 
transaction processing has become commonplace. 
Ordinary consumers may now purchase groceries, 
gasoline, and airline tickets using an automated 
teller card or credit card issued to them by their 
respective banks. In using electronic financial trans- 
action processing to purchase such goods and 
services, consumers electronically transfer funds 
from their own bank or credit account to the ac- 
count of the respective vendor. Hence, electronic 
financial transaction processing eliminates the con- 
sumer's need to carry currency or checks. 

Electronic financial transaction processing, as 
implemented in the context of common consumer 
use. is generally implemented in one of two ways. 

The first most common implementation of elec- 
tronic financial transaction processing is the auto- 
mated teller machine, commonly referred to as an 
ATM. Over the past several years, the use of ATMs 
has become so widespread that it is virtually an 
indispensable convenience which banking custom- 
ers have come to expect as a standard banking 
service. Generally accessible twenty-four hours a 
day, ATMs are commonly located at the bank site 
or in consumer-populated areas such as shopping 
centers or airports. The banking customer can use 
the ATM to perform most routine banking transac- 
tions such as deposits and withdrawals, account 
balance updates, credit card payments and so 
forth. 

The second most common implementation of 
electronic financial transaction processing is the 
point-of-sale terminal, commonly referred to as a 
POS terminal. Currently, point-of-sale terminals are 
most commonly found at gasoline stations and 
grocery stores. Rather than paying for purchases 
by check or with cash, consumers use their elec- 
tronic banking card or credit card to "pay" for their 



purchase by electronically transferring funds from 
their own account to the vendor's account. Accord- 
ingly, consumers may shop and travel without the 
requirement that they carry a large amount of cash 

5 in order to make purchases. 

Electronic financial transaction processing, 
however, has created a wide variety of security 
problems unique to the art. While electronic finan- 
cial transaction processing is highly desirable due 

10 to the the elimination of the requirement of carrying 
cash to make purchases and is an efficient way to 
accomplish transactions without substantial human 
intervention, security concerns are of paramount 
importance as the potential for abuse is consider- 

;5 able. Unauthorized persons, commonly referred to 
in the trade as "adversaries." could gain access to 
the elecuonic financial transaction processing sys- 
tem and conduct a wide variety of damaging fraud- 
ulent transactions. Hence, as the vault is critical to 

20 -the protection of currency and commercial paper, 
an effective means of securing the electronic finan- 
cial transaction processing system is likewise es- 
sential to the electronic financial transaction pro- 
cessing art. 

25 In most existing electronic financial transaction 
processing systems, the bank or other card-issuing 
institution issues- the customer a card which has 
been magnetically encoded with the user's account 
number. The bank likewise issues or permits the 
30 customer to select a personal identification number 
(PIN), known only to the customer, to be used in 
authorizing the customer's access to the electronic 
financial transaction processing system at the time 
of a given transaction. Normally, the PIN Is memo- 
35 rized by the customer. The PIN and card enable 
customer access to the system and, when properly 
used by the individual, provide the desired access 
to the system. 

When a customer desires to perform an elec- 
40 tronic transaction in such a prior art system, he will 
enter his PIN at the ATM or POS terminal by the 
customer prior to proceeding with the transaction. 
This ATM or POS terminal also will read the card 
of the individual keying in the PIN. An identity 
45 verification is then typically accomplished by a 
comparison of the PIN or other number derived 
from the PIN and the customer's account number 
with the records of the issuing institution. Accord- 
ingly, the PIN, which is the basis for the verification 
50 process, must usually be transmitted from the ATM 
or POS terminal to a remote processing station for 
processing. 

Although the above-described card and PIN 
system provides some protection, this system 
alone is not sufficiently secure to confidently main- 
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tain the integrity of the electronic financial transac- 
tion processing system. 

The system is vulnerable, if, for example, the 
PIN itself is transmitted in an unencrypted state to 
a remote processing station. An adversary monitor- 
ing the transmission lines or other channel of com- 
munication could intercept the PIN and. using this 
information, be able to gain unauthorized access to 
the customer's accounts. Hence, it is not desirable 
to transmit the PIN from the ATM or POS terminal 
to the remote processing station. 

Consequently, in many existing systems the 
PIN Is transmitted from the ATM or POS terminal 
in encrypted form, in such a system, the PIN is 
encrypted using a number, known as a "key." to 
produce an encrypted PIN. Theoretically, the PIN. 
when it is transmitted to the remote processing 
station, is secure because it has been encrypted 
using a key known only to the card-issuing institu- 
tion. However, if an adversary ascertains the key, 
the system is no longer secure as the PIN may be 
determined if the encryption process can be re- 
versed. 

Unlawful acquisition of the key is a particular 
problem in the POS terminal environment In the 
POS terminal environment, the key is typically resi- 
dent within the terminal itself so as to enable on- 
site encryption prior to transmission. Because the 
POS terminal units are generally portable, there is 
a substantial risk that the terminal might be .stolen, 
disassembled and the key ascertained. In such a 
scenario, the system once again becomes vulner- 
able because an adversary could use the key to 
decrypt other transmitted encrypted PINs. 

The transmission of identification and transac- 
tion authorization data is usually accomplished uti- 
lizing a computer network. The ATM or POS termi- 
nal is generally a terminal in a larger data process- 
ing network wherein the transmitted PIN may be 
decrypted and re-encrypted several times before 
reaching the remote process station. 

In this network system, the remote processing 
station is electronically isolated from the POS ter- 
minal. Because the PIN is re-encrypted at various 
points along the network, the remote processing 
station, which may be located at the card issuing 
Institution, may have no knowledge as to the PIN 
encryption key resident within the ATM or POS 
terminal. The encrypted PIN. as it is received at 
various points along the network, is re-encrypted 
using a PIN encryption key unique to that point of 
transmission. 

The existing system, most particularly as ap- 
plied in the POS terminal environment, remains 
substantially vulnerable to unauthorized access by 
adversaries. Because the PIN, albeit encrypted un- 
der a number of different PIN encryption keys, 
itself is transmitted along the network, the PIN 



remains in constant danger of being captured by 
an adversary. As the encrypted PIN is decrypted 
and re-encrypted under several PIN encryption 
keys as it is transmitted through the network, the 

5 adversary consequently has several opportunities 
to capture the PIN at various points throughout the 
network. Moreover, the adversary need only as- 
certain one of these PIN encryption keys in order 
to capture the transmitted PIN. 

10 Because the security of the PIN encryption 
keys becomes as important as the security of the 
PIN itself, key management is a paramount con- 
cern. Management of these PIN encryption keys in 
a complex network can be a very formidable and, 

;5 in some instances, troublesome task. Accordingly, 
card-issuing institutions prefer isolating themselves 
from the network system from a key management 
perspective. 

Consequently, there is a great need in the art 
20 of electronic financial transaction processing for a 
user authorization system, particularly in the POS 
terminal environment, which minimizes the risk that 
the PIN will be captured as data is transmitted 
along a network. 

25 

SUMMARY OF THE INVENTION 



30 In accordance with the present invention, a 
method and means are provided for securing elec- 
tronic financial transaction processing systems 
used by customers of certain credit or electronic 
banking card-issuing institutions. Customers of the 
35 card issuing institutions use the electronic financial 
transaction processing system to execute a variety 
of transactions, including the electronic transfer of 
funds between various accounts maintained by the 
card-issuing institution. 
40 The present invention involves two levels of 
secure interaction between the customer and the 
card-issuing institution. The first level of interaction 
involves the enrollment of a customer in the institu- 
tion's electronic financial transaction processing 
45 system. The second level of interaction involves 
the authorization of a customer's use of the elec- 
tronic financial transaction processing system for 
executing an electronic financial transaction. 

Specifically, the present invention includes a 
50 novel method for the secure utilization of a cus- 
tomer's electronic financial transaction processing 
account. The method first includes an enrollment 
step including the following steps. First a personal 
key code to be assigned to the customer is gen- 
55 erated and a card assigned to the customer en- 
coded with a detectable code representative of the 
personal key code. An identifying code, such as a 
bank account number, is also assigned to the cus- 
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tomer by the card-issuing institution and encoded 
on the cutomer's card. A personal identification 
number selected by the customer is combined with 
the personal key in accordance with an irreversible 
logical encoding algorithm to produce a personal 
identification transmission number. The personal 
identification transmission number and the Identify- 
ing code assigned to the customer by the card- 
issuing institution are combined with an institutional 
key code associated with the card-issuing institu- 
tion in accordance witii another irreversible logical 
encoding algorithm to produce a personal iden- 
tification verification number. The personal iden- 
tification verification number is then stored for fu- 
ture access in records maintained by the card- 
issuing institution. 

The present Invention likewise pertains to a 
method for verifying the authority of a customer to 
complete a transact on using a card which has 
been issued to the customer by a card-issuing 
institution pursuant to the above-described enroll- 
ment method. In verifying the customer's authority 
to accomplish an electronic transaction, the method 
first includes the steps of sensing the personal key 
code and the identifying code recorded on the 
card. The customer seeking authorization likewise 
enters his personal identification number. A can- 
didate personal identification transmission number 
is generated at the time of the transaction by 
combining the candidate personal identification 
number and the identifying code with the personal 
key code in accordance with an irreversible logical 
encoding algorithm. The candidate personal iden- 
tification transmission number is transmitted to a 
remote transaction processing system at the card- 
issuing institution over a conventional computer 
network. The remote electronic financial transaction 
processing system combines the candidate per- 
sonal identification transmission number and the 
identifying code assigned to the individual, in ac- 
cordance with another logical encoding algorithm, 
with an institutional key code associated with the 
card-issuing institution to generate a candidate per- 
sonal identification verification number. 

The system compares the candidate personal 
identification verification number generated at tiie 
time of transaction with the personal identification 
verification number, stored by the card-Issuing in- 
stitution, which corresponds to the customer. If the 
candidate personal verification number and the 
stored number match, the transaction will be au- 
thorized to proceed. 

Consistent with tiie above-described method, 
the present invention also contemplates an appara- 
tus for encoding each of a plurality of cards, as- 
signed to the customers of card-issuing institijtions, 
for use in secure transactions. The apparatus in- 
cludes means for generating a personal key code 



that is to be assigned to the individual customer 
and a means for supplying an identifying code, 
such as a bank account number, which has been 
assigned to the customer by the card-issuing in- 
5 stitution. A keyboard or similar means for receiving 
data from the individual is also provided in order 
that the individual may enter his personal identifica- 
tion number, A transducer or similar means is 
provided for recording a detectable code repre- 
10 sentative of said personal key code upon the card. 

The apparatus likewise includes means for pro- 
ducing a personal identification transmission num- 
ber using a logical algorithmic combination of the 
personal identification number received from the 
;5 individual and the personal key code. The personal 
identification transmission number is supplied to a 
means for producing a personal identification ver- 
ification number, which means includes a logical 
algorithm for combining an institutional key code 
20 associated with the card-issuing institution, the per- 
sonal identification transmission number and the 
identifying code. 

Additionally, the apparatus includes storage 
means for storing the personal identification ver- 
25 ification number in records maintained by ttie card- 
issuing institution. 

Similarly, the invention likewise includes an ap- 
paratus for verifying the authority of a customer to 
complete a transaction in association with a card 
30 presented at the time of transaction. A detectable 
code representative of a personal key code and an 
identifying code assigned to the individual is re- 
corded upon the card in the manner previously 
described. The apparatus includes a keyboard or 
35 similar means for receiving a personal identification 
number from the customer known only to that 
customer and a transducer or similar means for 
sensing the encoded personal key code and the 
identifying code recorded on the card. 
40 Also included in the system is a means for 
generating a candidate personal identification trans- 
mission number using a logical algorithmic com- 
bination of the personal key code sensed from the 
card, the personal identification number received 
45 from the Individual and the identifying code. The 
candidate personal identification transmission num- 
ber is transmitted along a computer network or 
similar means for ti-ansmitting data to the card- 
issuing institution. 
50 Means are provided for generating a candidate 
personal identification verification number as a logi- 
cal algorithmic combination of an institutional key 
code associated with the card-issuing institution, 
the candidate personal identification transmission 
55 number received from the network and the identify- 
ing code. A comparator or similar comparison 
means for comparing the candidate personal iden- 
tification verification number with the previously 



12/10/2003. EAST version: 1.4.1 



7 



EP 0 385 400 A2 



8 



stored personal identification verification number 
associated with the customer is used to test for 
parity. 

The present invention provides a heretofore 
unknown method and apparatus for securing elec- 
tronic financial transaction processing systems by 
eliminating the requirement that the personal iden- 
tification number, encrypted or otherwise, be trans- 
mitted from the site of use to the remote card- 
issuing institution for authorization processing. In 
the present invention, the personal identification 
number is used only to irreversibly derive a PIN 
transmission number. It is the PIN transmission 
number, not the personal identification number, 
which is transmitted to the remote card-issuing 
institution for authorization processing. 

Because the personal identification number is 
used in an irreversible encryption process to derive 
the PIN transmission number, an adversary captur- 
ing the PIN transmission number would be unable 
to ascertain the personal identification number. 
Hence, after the PIN transmission number is de- 
rived by irreversible encryption, the personal iden- 
tification number, which is immediately erased from 
the volatile memory of the POS terminal, cannot be 
captured because it neither leaves the POS termi- 
nal unit nor is it retained in the terminal unit after 
the customer's transaction has been completed. 

Moreover, because each customer is assigned 
a personal key recorded only on his card, un- 
authorized acquisition of the POS terminal would 
not aid an adversary in his efforts to compromise 
the security of the system. The introduction of a 
second variable, i.e., the personal key. into the 
security scheme renders the system more secure 
as the adversary's task becomes more formidable. 
He must acquire both the customer's personal key 
and his or her personal identification number to 
obtain access to the electronic financial transaction 
processing system. 

Further, because the personal identification 
number is not transmitted, the previous security 
concerns regarding the repeated decryption and 
re-encryption under different PIN encryption keys 
at various points along the network are relaxed. 
Although the acquisition of a customer's PIN trans- 
mission number by an adversary would be un- 
desirable, such acquisition would not render the 
security of the system compromised as the ad- 
versary requires both the user's personal key and 
his personal identification number to invade the 
system. Neither of these numbers could be ascer- 
tained from the transmitted PIN transmission num- 
ber. 

Consequently, it is an object of the present 
invention to enable the secure transmission of elec- 
tronic financial transaction processing data authori- 
zation data along a conventional computer network 



system. 

It is a further object of the present invention to 
eliminate the requirement that the customer's per- 
sonal identification number, in encrypted form or 

5 otherwise, be transmitted along a conventional 
computer network. 

It is yet a further object of the present invention 
to inject a further dimension of security into an 
electronic financial transaction processing system 

w by maintaining two security parameters for each 
customer, i.e. both a personal identification number 
and a personal key. 

,5 BRIEF DESCRIPTION OF THE DRAWINGS 



Figure 1 is a flowchart diagram illustrating an 
embodiment of the customer enrollment process of 
20 the present invention. 

Figure 2 is a flowchart diagram illustrating an 
embodiment of the transaction authorization pro- 
cess of the present invention. 

Rgure 3 is a block diagram illustrating a 
25 typical computer network which might be used to 
transmit data in the present invention. 

Figure 4 is a block diagram of a system of 
the present invention. 

Figures 5A and 5B are block diagrams of an 
30 embodiment of the present invention. 

DETAILED DESCRIPTION OF THE DRAWINGS 

35 Figure 1 is a flowchart diagram of the system 
of the present invention which operates on the 
personal identification number of an individual, 
identification information furnished by an operator 
of the system, and a randomly generated personal 

40 key to enroll a customer in a card-issuing institu- 
tion's electronic financial transaction processing 
system. 

A customer, prior to enjoying the benefits of 
electronic financial transaction processing, must 

45 first enroll with a card-issuing institution. In the 
initial sign-on transaction, an individual may select 
any code word or set of numbers, or combination 
thereof, as his personal identification number, 
which he may preserve in total secrecy. Referring 

50 to Rgure 1 , the customer initially enters this secret 
personal identification number (hereinafter "PIN") 
at 2 into the system using any conventional data 
input means, such as a keyboard, telephone dial 
apparatus, or the like, not shown in Figure 1 . 

55 An operator of the system also enters an as- 
signed account number at 4. Additionally, the sys- 
tem includes a random number generator, not 
shown in Rgure 1. to randomly generate a personal 
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key. Kp. at 6. which is unique to the individual 
enrolling in the electronic financial transaction pro- 
cessing program. Thus, as shown at 8. the cus- 
tomer's PIN and all or part of the account number 
are concatenated in a conventional manner to pro- 
duce a concatenated PlN/account number data 
string. 

The concatenated PlN/account number data 
string and personal key are supplied to an encod- 
ing device for the reversible encryption of the data, 
shown at 10. to generate an encrypted personal 
key (hereinafter referred to as "E[Kp]"). The en- 
cryption step at 10 may be performed using a 
conventional National Bureau of Standards 
(hereinafter "NBS") data encryption integrated cir- 
cuit not shown in Rgure 1 , which is commercially 
available from Motorola, Inc. 

The encrypted personal key E[Kp] and the ac- 
count number are then recorded, at 12, on a card, 
not shown in Rgure 1, mechanically, optically, 
magnetically or the like, in a conventional manner, 
for use by the individual in a subsequent transac- 
tion. 

The concatenated PlN/account number data 
string is logically combined, at U, using a conven- 
tional exclusive OR function with the randomly gen- 
erated personal key. Kp. The concatenated 
PlN/account number data string and the logical 
combination of the concatenated PlN/account num- 
ber data string and personal key, Kp, shown at 14 
are supplied to an encoding device, not shown in 
Rgure 1. for irreversible encryption of the supplied 
data, shown at 16, to generate a first compiled 
code word or PIN transmission number (PTN). This 
irreversible encryption, at 16. may utilize an encod- 
ing device, not shown in Rgure 1. which may 
include a conventional NBS data encryption in- 
tegrated circuit, as noted above, and may be op- 
erated according to a known irreversible algorithm. 
An example of such an irreversible algorithm is 
disclosed in U.S. Patent No. 3,938,091 and U.S. 
Patent No. 4,198.619. 

The personal transmission number itself is then 
concatenated with the account number, at 18, in a 
conventional manner to produce a concatenated 
PTN/account number data string. A secret iden- 
tification key, known only by the card-issuing in- 
stitution at 20, and the concatenated PTN/account 
number data string, at 18. are supplied to an en- 
coding device, not shown in Rgure 1 , for irrevers- 
ible encryption, at 22. of the supplied data to 
generate a second compiled code word, or PIN 
verification number (PVN). This in-eversible encryp- 
tion at 22 may be accomplished by an encoding 
device, not shown in Rgure 1 , which may include a 
conventional NBS data encryption integrated cir- 
cuit, as discussed above, and may also be op- 
erated according to a known irreversible algorithm 



such as that disclosed in U.S. patent No. 3.938,091 
or U.S. patent No. 4.198.619. 

The personal verification number is stored, at 
24. in the card-issuing institution data base for 
5 access during subsequent transactions. The per- 
sonal verification number may, at the institution's 
option, be encrypted under a file storage key, not 
shown in Rgure 1 . and stored in the database by 
account number. 
70 Rgure 2 is a flow chart diagram of an embodi- 
ment of the present invention illustrating the pro- 
cess of executing a subsequent transaction utilizing 
the card upon which a personal key has been 
encrypted in the above described manner. A ous- 
ts tomer desiring to utilize electronic financial transac- 
tion processing, for example, to purchase goods 
using a POS terminal, not shown in Rgure 2. would 
have with him or her a card encoded in the manner 
previously described. The POS terminal, not shown 
20 in Rgure 2, reads the card mechanically, optically, 
magnetically or the like at 26, as appropriate, de- 
pending on the type of card used, in a conventional 
manner. 

As described previously, the card, not shown in 

25 Rgure 2. has been encoded with the customer's 
account number and an encrypted personal key E- 
[Kp]. The customer enters his personal identifica- 
tion number, at 28. referred to hereinafter as the ^ 
candidate PIN (PIN') on a keyboard or similar data 

30 entry device, not shown in Rgure 2. The keyed-in 
PIN and the account number that has been read 
from the card at 26 are concatenated in a conven- 
tional manner, at 30, to produce a concatenated 
account number/PlN' data string. The encoded per- 

35 sonal key, E[Kp]. read from the card at 26 and the 
concatenated account number/PIN' data string are 
supplied to a decoding device, not shown in Rgure 
2, for decryption, at 32. to generate a candidate 
personal key K p. 

40 The candidate personal key. Kp, is logically 
combined, at 34, using a conventional exclusive 
OR function with the concatenated account 
number/PIN' data string. The logical combination of 
the candidate personal key,^ Kp', and the concat- 

45 enated account number/PIN' data string are sup- 
plied to an encoding device, not shown in Rgure 2, 
for irreversible encryption, at 35, of the supplied 
data to generate a first compiled code word, or 
candidate personal transmission number (PTN ). 

50 This encoding means may include the aforemen- 
tioned NBS circuit and may encrypt the applied 
data according to an algorithm of the type de- 
scribed in the aforementioned U.S. Patent No. 
3.938,091, U.S. Patent No. 4,198.619. or the like. 

55 The candidate PIN transmission number and 
the account number read from the card are then 
transmitted, at 36. to the bank or other card issue 
using a conventional computer network. 



12/10/2003, EAST version: 1.4.1 



11 



EP 0 385 400 A2 



12 



A typical computer network used to transmit 
the type of data described immediately above is 
shown in block diagram form in Figure 3. The 
system shown in Rgure 3 is merely an example of 
the type of computer network which may be used 
to transmit the aforementioned data from the POS 
terminal to a remote processing station maintained 
by the card-issuing entity. Any number of computer 
networks could be used to accomplish the trans- 
mission of this data. 

The candidate personal transmission number 
and the customer's account number, not shown in 
Rgure 3. are encrypted at the POS terminal con- 
troller 38 under a PIN encryption key. KPEi, and 
transmitted along line 40 to a retail store computer 
42. The retail store computer 42 decrypts the data 
received from the POS terminal controller 38 and 
re-encrypts that data under the retail store com- 
puter PIN encryption key. KPEa. The retail store 
computer 24 transmits the data encrypted under 
KPEz along network transmission line 44 to a retail 
data center 46. The retail data center computer 46 
decrypts the data received from the retail store 
computer 42 and re-encrypts that data under a 
retail data center PIN encryption key. KPE3. The 
retail data center computer 46 transmits the data 
encrypted under KPE3. The retail data center com- 
puter 46 transmits the data encrypted under KPE3 
along network transmission line 48 to a merchant 
bank computer 50. Merchant bank computer 50 
decrypts the data received from the retail data 
center computer 46 and re-encrypts the data under 
a merchant bank PIN encryption key. KPE4. The 
merchant bank computer 50 transmits the data 
encrypted under KPE* to a financial switch 54 
along network transmission line 52. The financial 
switch 54. which might be a financial switch such 
as INTERLINK, decrypts the data received from 
merchant bank computer 50 and re-encrypts that 
data under a financial switch PIN encryption key, 
KPE5. The financial switch 54 transmits the data 
encrypted under KPEs to the card-issuing bank 58 
along network transmission line 56. The data en- 
coded by the financial switch 54 under KPEs is 
decrypted 60 at the card-issuing bank. The decryp- 
ted candidate PIN transmission number and ac- 
count number, not shown in Figure 3. are supplied 
to the electronic financial transaction processing 
system 62 for processing. 

Referring again to Figure 2. shown are the 
steps taken by the bank or other card issuer to 
verify the identity of the customer using his or her 
card in a financial transaction according to the 
present invention. First the candidate PIN transmis- 
sion number and customer account number are 
first concatenated, at 64. in a conventional manner 
to produce a concatenated PTN'/account number 
data string. A secret bank key, Ks. entered at 66 by 



the card-issuing institution, and the concatenated 
PTN'/account number data string are supplied to 
an encoding device, not shown in Rgure 2. for 
irreversible encryption, at 68. of the data to gen- 

s erate a second compiled code word or candidate 
PIN verification number (PVN'). The encoding de- 
vice, not shown in Rgure 2. may include the afore- 
mentioned NBS circuit and be operated according 
to a known irreversible algorithm such as the afore- 

10 mentioned algorithm disclosed in U.S. Patent No. 
3.938.091. and U.S. Patent No. 4.198.619. or the 
like. 

The system uses the account number read 
from the customer's card to search bank records. 

/5 at 70. for the PIN verification number (PVN) asso- 
ciated with the customer's account number. As 
previously discussed in connection with the enroll- 
ment process, the PVN, as shown in Rgure 1, was 
stored in the card-issuing institution's database at 

20 the time of enrollment for subsequent retrieval. 
Based upon the account number read from the 
card, the system will retrieve the PIN verification 
number, at 72, corresponding to the account num- 
ber read from the card As noted earlier, the stored 

25 PIN verification number may be stored in an en- 
crypted form. If such is the case, the encrypted 
PIN verification number will be decrypted under the 
appropriate file key. not shown in Figure 2, at the 
time of retrieval. 

30 The candidate PIN verification number and the 
PIN verification number retrieved from the 
database records are compared, at 74, in a con- 
ventional manner. If the candidate PIN verification 
number is identical to the PIN verification number 

35 retrieved from the bank database, the transaction 
will be authorized, shown at 76. and the customer 
is then free to access the electronic financial trans- 
action processing system. If. however, the can- 
didate PVN and the PVN retrieved from the bank 

40 database do not match, the customer's access to 
the electronic financial transaction processing sys- 
tem will be denied, as shown at 78. 

Figure 4 is a block diagram of the system of 
the present invention which enables a customer in 
45 a card-issuing institution's electronic financial trans- 
action processing system. It operates on the per- 
sonal identification number of the customer, the 
identification information furnished by an operator 
of the system, and a randomly generated personal 
50 key. 

As noted above, a customer, prior to enjoying 
the benefits of electronic financial transaction pro- 
cessing, must first enroll with a card-issuing institu- 
tion. In the initial sign-on transaction, the customer 
55 may select any code word or set of numbers, or 
combination thereof, as his personal identification 
number, which he may preserve in total secrecy. 
Referring to Figure 4. the customer initially enters 
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this secret personal identification number 
(hereinafter "PIN") into the system using any con- 
ventional data input means, such as keytx>ard 401. 
It is to be understood, however, that any conven- 
tional data input means such as a telephone dial 
apparatus, or the like, not shown in Rgure 1. may 
be used to input the PIN. 

An operator of the system also enters an as- 
signed account number at account number input 
403. Additionally, the system includes a random 
number generator 405 to randomly generate a per- 
sonal key. Kp that is unique to the individual enroll- 
ing In the electronic financial transaction process- 
ing program. Thus, the customer's PIN and all or 
part of the account number are concatenated in a 
conventional manner by concatenation circuit 407 
to produce a concatenated PIN/account number 
data string. 

The concatenated PIN/account number data 
string and persona! key are supplied to an encod- 
ing device 409 for the reversible encryption of the 
data to generate an encrypted personal key 
(hereinafter referred to as "E[Kp]"). Encoding de- 
vice 409 may include a conventional National Bu- 
reau of Standards (hereinafter "NBS") data encryp- 
tion Integrated circuit not shown in Figure 1, which 
is commercially available from Motorola, Inc. 

The encrypted personal key E[Kp] and the ac- 
count number are then recorded on card 411 using 
transducer 413. Although Figure 4 shows trans- 
ducer 413 to be a magnetic transducer system, it 
is to be understood that the recording may be 
accomplished mechanically, optically, magnetically 
or the like, in a conventional manner. Card 41 1 is 
then given to the customer for use by the individual 
in a subsequent transactions. 

The concatenated PIN/account number data 
string, which was concatenated by concatenation 
circuit 407. is logically combined, using a conven- 
tional exclusive OR circuit 415. with the randomly 
generated personal key. Kp. The concatenated 
PIN/account number data string and the logical 
combination of the concatenated PiN/account num- 
ber data string and personal key. Kp, are supplied 
to an encoding device 417 for irreversible encryp- 
tion of the data to generate a first compiled code 
word, or PIN transmission number (PTN). Encoding 
device 417 may include a conventional NBS data 
encryption integrated circuit, as noted above, and 
may be operated according to a known irreversible 
algorithm. An example of such an algorithm is 
disclosed in U.S. Patent No. 3,938.091 and U.S. 
Patent No. 4.198,619. 

The personal transmission number itself is then 
concatenated in the conventional manner with the 
account number by concatenation circuit 419 to 
produce a concatenated PTN/account number data 
string. A secret identification key. known only by 



the card-issuing institution, is input at bank key 
input 421. The secret identification key. input at 
bank key input 421. and the concatenated 
PTN/account number data string are supplied to an 

5 encoding device 423 for irreversible encryption of 
the supplied data to generate a second compiled 
code word or PIN verification number (PVN). En- 
coding device 423 may include a conventional NBS 
data encryption integrated circuit, as discussed 

w above, and may also be operated according to a 
known irreversible algorithm such as that disclosed 
In U.S. Patent No. 3.938.091 or U.S. Patent No. 
4.198.619. 

The personal verification number is stored in 
15 the card-issuing Institution data base computer 425 
for access during subsequent transactions. The 
personal verification number may. at the institu- 
tion's option, be encrypted under a file storage key. 
not shown in Rgure 4, and stored in the database 
20 by account number. 

Figures 5a and 5b are block diagrams of an 
embodiment of the present invention which illus- 
trates the apparatus used to execute a subsequent 
transaction utilizing the card upon which a personal 
25 key has been encrypted. 

Referring to Figure 5a, the portion of the pre- 
ferred embodiment of the present invention in- 
stalled at the transaction site is shown. A customer 
desiring to utilize electronic financial transaction 
30 processing to purchase goods, for example, using 
a POS terminal is usually requested at the time of 
transaction to produce his card, which presumably 
has been encoded in the manner previously de- 
scribed. The POS terminal 501, which includes 
35 keypad 502 and card reader 504. reads the card 
506. It is to be understood that the card reader 
504. although shown in Figure 5a to be a magnetic 
card transducer, may be a mechanical, optical, 
magnetic or the like type of card reader, as appro- 
ve priate depending on the type of card used. 

As described previously, the card 506 has 
been encoded with customer's account number 
and an encrypted personal key E[Kp]. The cus- 
tomer enters a candidate personal identificatiori 
45 number (PIN') on keypad 502. The keyed in PIN 
and the account number read from the card are 
concatenated in the conventional manner by con- 
catenation circuit 508 to produce a concatenated 
account number/PIN' data string. The encoded per- 
50 sonai key. E[Kpl, read from the card 506 and the 
concatenated account number/PIN data string are 
supplied to a decoding device 510 for decryption. 
Decoding device 510 generates a candidate per- 
sonal key K p'. 
65 The candidate personal key, K p , is logically 
combined, using a conventional exclusive OR cir- 
cuit 512, with the concatenated account 
number/PIN' data string. The logical combination of 
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the candidate personal key,^ Kp". and the concat- 
enated account number/PIN' data string are sup- 
plied to an encoding device 514 for irreversible 
encryption of the data to generate a first compiled 
code word or candidate personal transmission 
number (PTn'). The encoding device 514 may 
include the aforementioned NBS circuit and may 
encrypt the applied data according to an algorithm 
of the type described in the aforementioned U.S. 
Patent No. 3.938.091 or U.S. patent No. 4,198.619 
or the like. 

The PTN- and the account number read from 
the card are then transmitted to the bank using a 
conventional computer network 516. 

Rgure 5b illustrates the portion of the preferred 
embodiment residing at the remote transaction pro- 
cessing station. Referring to Figure 5b, the can- 
didate PIN transmission number and customer ac- 
count number received from network 516 are con- 
catenated in the conventional manner by concat- 
enation circuit 518 to produce a concatenated 
PTN'^account number data string. A secret bank 
key. K^. entered by the card-issuing institution at 
bank key input 520. and the concatenated 
PTN'/account number data string are supplied to 
encoding device 522 for irreversible encryption of 
the supplied data to generate a second compiled 
code word or candidate PIN verification number 
(PVN'). The encoding device 522 may include the 
aforementioned NBS circuit and may be operated 
according to a known irreversible algorithm such as 
the aforementioned algorithm disclosed in U.S. Pat- 
ent No. 3,938.091. and U.S. Patent No. 4.198.619. 
or the like. 

The system uses the account number read 
from the customer's card to search bank records 
for the PIN verification number associated with the 
customer*s account number. As previously dis- 
cussed in connection with he enrollment process, 
the customer's PVN was stored in the card-issuing 
institution's database computer 425 at the time of 
enrollment for subsequent retrieval. Based upon 
the account number read from the card, the system 
will retrieve the PIN verification number, in the 
conventional manner, from database computer 425 
corresponding to the account number read from 
the card. 

As noted earlier, the stored PIN verification 
number may be stored in an encrypted form. If 
such is the case, the encrypted PIN verification 
number will be decrypted under the appropriate file 
key, not shown in Figure 5b. at the time of retrieval. 

The candidate PIN verification number and the 
PIN verification number retrieved from the 
database computer 425 are compared in a conven- 
tional manner by comparator device 524. If the 
candidate PIN verification number is identical to the 
PIN verification number retrieved from the bank 



database, the transaction will be authorized and an 
authorization signal transmitted to the POS termi- 
nal, not shown in Figure 5b. by computer network 
516. The customer is then free to access the 

5 electronic financial transaction processing system. 
If, however, there is no parity between the can- 
didate PVN and the PVN retrieved from the bank 
database, the customer's access to the electronic 
financial transaction processing system will be de- 

10 nied and a ''decline transaction" signal will be 
transmitted to the POS terminal, not shown in Rg- 
ure 5b. along computer network 516. 

Changes and modifications in the specifically 
described embodiments can be carried out without 

75 departing from the scope of the invention which is 
intended to be limited only by the scope of the 
appended claims. 

20 Claims 

1 . A method for encoding a card assigned by 
an entity to an individual for use in secured trans- 
actions, the method comprising the steps of: 

25 generating a personal key code assigned to the 
individual; 

encoding the card with a detectable code repre- 
sentative of said personal key code; 
combining in accordance with a first logical encod- 

30 ing combination a secret code received from the 
individual with the personal key code to produce a 
personal identification transmission code; 
combining in accordance with a second logical 
encoding combination the personal identification 

35 transmission code and an identifying code as- 
signed to the individual by the entity with an institu- 
tional key code associated with the entity to pro- 
duce a personal identification verification code; 
and. 

40 storing the personal identification verification code 
in records maintained by the entity. 

2. A method operable to verify the authority of 
an individual to complete a transaction in associ- 
ation with a card which is assigned by an entity to 

45 the individual, the card having recorded thereupon 
a detectable code representative of a personal key 
code and an identifying code assigned to the in- 
dividual, the entity having stored in it records a 
personal verification corresponding to the individ- 

50 ual, the method comprising the steps of; 

sensing the personal key code and the identifying 
code recorded on the card; 
generating a personal identification transmission 
code at the time of transaction by combining in 

55 accordance with a first logical encoding combina- 
tion a secret code received from the individual and 
the identifying code with the personal key code; 
transmitting the personal identification transmission 

10 
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code to the entity: 

generating a personal identification verification 
code at the time of transaction by combining in 
accordance with a second logical encoding com- 
bination the personal identification transmission 
code and the identifying code with an institutional 
key code associated with the enfity; 
comparing the personal identification verification 
code generated at the time of transaction with the 
stored personal identification verification code cor- 
responding to the individual; and transmitting a 
transaction authorization signal to the individual if 
the stored personal identification verification code 
identically compares with the personal identification 
verification code generated at the time of transac- 
tion. 

3. A method for encoding a card assigned by 
an entity to an individual for use in secured trans- 
actions, the method comprising the steps of: 
generating a personal key code assigned to the 
individual; 

combining in accordance with a first logical encod- 
ing combination a secret code received from the 
individual and an identifying code assigned to the 
individual by the entity with the personal key code 
to produce an encoded personal key code; 
encoding the card with a detectable code that is 
representative of said encoded personal key code; 
combining in accordance with a second logical 
encoding combination the secret code received 
from the individual with the personal key code to 
produce a personal identification transmission 
code; 

combining in accordance with a third logical encod- 
ing combination the personal identification trans- 
mission code and the identifying code with an 
institutional key code associated with the entity to 
produce a personal identification verification code; 
and. 

storing the personal identification verification code 
in records maintained by the entity. 

4. A method operable to verify the authority of 
an individual to complete a transaction in associ- 
ation with a card which is assigned by an entity to 
the individual, the card having recorded thereupon 
a detectable code representative of an encoded 
personal key code and an identifying code as- 
signed to the Individual, the entity having stored in 
its records a personal verification code correspond- 
ing to the individual, the method comprising the 
steps of: 

sensing the encoded personal key code and an the 
identifying code recorded on the card; 
reproducing the personal key code at the time of 
transaction by combining in accordance with a first 
logical decoding combination tiie encoded personal 
key code sensed from the card with a secret code 
received from the individual at the time of transac- 



tion; 

generating a personal identification transmission 
code at the time of transaction by combining in 
accordance with a first logical encoding combina- 
5 tion the secret code received from the individual 
and the identifying code with the personal key; 
transmitting the personal identification transmission 
code to the entity; 

generating a personal identification verification 

10 code at a time of transaction by combining in 
accordance with a second logical encoding com- 
bination the personal identification transmission 
code and the identifying code with an institutional 
key code the entity: and, 

15 comparing the personal identification verification 
code generated at the time of transaction with the 
stored personal identification verification code; and 
transmitting a transaction authorization signal to the 
individual if the stored personal identification ver- 

20 ification code identically compares witii the per- 
sonal identification verification code generated at 
the time of transaction, con-esponding to the in- 
dividual stored by the entity for parity as a con- 
dition for completing the transaction. 

25 5. Apparatus for encoding each of a plurality of 
cards assigned to individuals by an entity for use in 
secure transactions, the apparatus 
characterized by 

means (6) for generating a personal key code(Kp) 

30 assigned to an individual; 

means (2) for receiving from an individual a secret 
code (PIN) known only to that individual; 
transducer means (12) for recording a detectable 
code representative of said personal key code 

35 upon the card; 

means (16) for producing a persona! identification 
transmission code as a logical combination of the 
secret code (PIN) received from the individual with 
the personal key code (Kp); 

40 means (22) for producing a personal identification 
verification code as a logical combination of an 
institufional key code associated with the entity 
with the personal identification transmission code 
and a identifying code assigned to the individual by 

45 the entity; and, 

storage means (24) for storing the personal iden- 
tification verification code in records maintained by 
the entity. 

6. An apparatus for verifying the authority of an 
50 individual to complete a transaction in association 
with a card, the card having a detectable code 
representative of a personal key code and an iden- 
tifying code assigned to tiie individual recorded 
thereupon, the card being assigned by an entity to 
55 the individual, the entity having stored in its 
records a personal verifictaion code corresponding 
to the individual, characterized by 
means (28) for receiving from an individual a secret 
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code known only to that individual; 
transducer means (26) for sensing the personal key 
code and the identifying code recorded on the 
card; means (30 to 35) for generating a personal 
identification transmission code as a logical com- 
bination of the personal key code sensed from the 
card with the secret code received from the individ- 
ual and the identifying code: 
means (36) for transmitting the personal identifica- 
tion transmission code to the entity: 
means (68) for generating a personal identification 
verification code as a logical combination of an 
institutional key code associated with the entity and 
the personal identification transmission code and 
the identifying code; 

comparison means (74) for comparing the personal 
identification verification code generated at the time 
of transaction with a personal identification verifica- 
tion code associated with the individual and stored 
in records of the entity, said comparison means 
including means (76) for outputting a signal indicat- 
ing that these tow codes match. 

7. Apparatus for encoding each of a plurality of 
cards assigned to individuals by an entity for use in 
secure transactions, characterized by 
means for generating a personal key code as- 
signed to an individual; 

means for receiving from an individual a secret 
code known only to that individual; 
means for producing an encoded personal key 
code as a logical combination of the personal key 
code with a secret code received from the individ- 
ual and an identifying code assigned to the individ- 
ual by the entity; 

transducer means for encoding the card with a 
detectable code which is representative of said 
encoded personal key code; 
means for producing a personal identification trans- 
mission code as a logical combination of the secret 
code received from the individual with a personal 
key code; 

means for producing a personal identification ver- 
ification code as a logical combination of an institu- 
tional key code associated with the entity with the 
personal identification transmission code and the 
identifying code; and. 

storage means for storing the personal identifica- 
tion verification code in records maintained by the 
entity. 

8. An apparatus according to claim 6. 
characterized in that 

means (32.34) for reproducing the personal key 
code at the time of transaction as a logical com- 
bination of the encoded personal key code sensed 
from the card with the secret code received from 
the individual are provided and 
said comparison means includes means for output- 
ting a signal indicating transaction authorization 



upon a condition of identity between the stored 
personal identification verification code and the 
personal identification verification code generated 
at the time of transaction. 
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